enhance: automate GitHub variable setting and NPM token storage in setup script

PaulDuvall · claude · PaulDuvall · commit 23ad05fd07f4 · 2025-08-20T17:28:11.000-04:00
- Add automatic GitHub repository variable configuration using GitHub CLI - Add interactive NPM token input with secure hidden prompt - Support environment variable NPM_TOKEN for non-interactive setup - Include fallback instructions when GitHub CLI unavailable - Update documentation with three setup options (automated, env var, manual) 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/docs/npm-ssm/README.md b/docs/npm-ssm/README.md
@@ -4,20 +4,35 @@ Store NPM tokens securely in AWS SSM and use them in GitHub Actions.
 
 ## Setup (one-time)
 
+**Option 1: Fully automated**
 ```bash
-# 1. Run setup script
+# Run the setup script - it does everything!
 ./scripts/setup-npm-ssm.sh
 
-# 2. Set GitHub variables (copy commands from script output)
-gh variable set AWS_ROLE --body 'arn:aws:iam::ACCOUNT:role/github-actions-npm-REPO'
-gh variable set AWS_REGION --body 'us-east-1'
+# The script will:
+# 1. Create AWS OIDC provider and IAM role
+# 2. Set GitHub repository variables 
+# 3. Prompt for your NPM token and store it securely
+```
+
+**Option 2: With environment variable**
+```bash
+# Set your NPM token as an environment variable
+export NPM_TOKEN="npm_your_token_here"
 
-# 3. Store your NPM token
-aws ssm put-parameter \
-  --name '/npm/token' \
-  --value 'npm_YOUR_TOKEN_HERE' \
-  --type SecureString \
-  --region us-east-1
+# Run setup script (won't prompt for token)
+./scripts/setup-npm-ssm.sh
+```
+
+**Option 3: Manual fallback**
+If the script can't set GitHub variables automatically:
+```bash
+# Run setup script first
+./scripts/setup-npm-ssm.sh
+
+# Then manually run the commands it outputs
+gh variable set AWS_ROLE --body 'arn:aws:iam::ACCOUNT:role/...'
+gh variable set AWS_REGION --body 'us-east-1'
 ```
 
 ## How it works
diff --git a/scripts/setup-npm-ssm.sh b/scripts/setup-npm-ssm.sh
@@ -1,14 +1,18 @@
 #!/bin/bash
-# Simple setup for NPM token storage in AWS SSM
+# Complete setup for NPM token storage in AWS SSM
 
 set -e
 
 # Get repo info
 REPO=$(git remote get-url origin | sed 's/.*github.com[:/]\(.*\)\.git/\1/')
 ACCOUNT=$(aws sts get-caller-identity --query Account --output text)
 ROLE_NAME="github-actions-npm-${REPO//\//-}"
+REGION=${AWS_REGION:-us-east-1}
 
-echo "🔧 Setting up AWS for $REPO..."
+echo "🔧 Setting up NPM token management for $REPO..."
+
+# Step 1: Create AWS resources
+echo "1️⃣ Creating AWS resources..."
 
 # Create OIDC provider (idempotent)
 aws iam create-open-id-connect-provider \
@@ -48,11 +52,73 @@ aws iam put-role-policy --role-name "$ROLE_NAME" --policy-name SSMReadNPM \
 
 ROLE_ARN="arn:aws:iam::$ACCOUNT:role/$ROLE_NAME"
 
-echo "✅ Setup complete!"
+# Step 2: Set GitHub variables automatically
+echo "2️⃣ Setting GitHub repository variables..."
+
+if command -v gh >/dev/null 2>&1; then
+  if gh auth status >/dev/null 2>&1; then
+    gh variable set AWS_ROLE --body "$ROLE_ARN"
+    gh variable set AWS_REGION --body "$REGION"
+    echo "✅ GitHub variables configured"
+  else
+    echo "⚠️  GitHub CLI not authenticated. Run: gh auth login"
+    echo "   Then manually set variables:"
+    echo "   gh variable set AWS_ROLE --body '$ROLE_ARN'"
+    echo "   gh variable set AWS_REGION --body '$REGION'"
+  fi
+else
+  echo "⚠️  GitHub CLI not installed. Install with: brew install gh"
+  echo "   Then manually set variables:"
+  echo "   gh variable set AWS_ROLE --body '$ROLE_ARN'"
+  echo "   gh variable set AWS_REGION --body '$REGION'"
+fi
+
+# Step 3: Prompt for NPM token and store it
+echo "3️⃣ Storing NPM token..."
+
+if [ -n "$NPM_TOKEN" ]; then
+  # Token provided via environment variable
+  aws ssm put-parameter \
+    --name '/npm/token' \
+    --value "$NPM_TOKEN" \
+    --type SecureString \
+    --region "$REGION" \
+    --overwrite 2>/dev/null || aws ssm put-parameter \
+    --name '/npm/token' \
+    --value "$NPM_TOKEN" \
+    --type SecureString \
+    --region "$REGION"
+  echo "✅ NPM token stored from environment variable"
+else
+  # Prompt for token
+  echo ""
+  echo "📝 Please enter your NPM token:"
+  echo "   (Get it from: https://www.npmjs.com/settings/tokens)"
+  read -s -p "NPM Token: " USER_NPM_TOKEN
+  echo ""
+  
+  if [ -n "$USER_NPM_TOKEN" ]; then
+    aws ssm put-parameter \
+      --name '/npm/token' \
+      --value "$USER_NPM_TOKEN" \
+      --type SecureString \
+      --region "$REGION" \
+      --overwrite 2>/dev/null || aws ssm put-parameter \
+      --name '/npm/token' \
+      --value "$USER_NPM_TOKEN" \
+      --type SecureString \
+      --region "$REGION"
+    echo "✅ NPM token stored securely in SSM"
+  else
+    echo "⚠️  No token provided. Store manually with:"
+    echo "   aws ssm put-parameter --name '/npm/token' --value 'YOUR_TOKEN' --type SecureString --region $REGION"
+  fi
+fi
+
 echo ""
-echo "1. Set GitHub variables:"
-echo "   gh variable set AWS_ROLE --body '$ROLE_ARN'"
-echo "   gh variable set AWS_REGION --body 'us-east-1'"
+echo "🎉 Setup complete! Your NPM token is now:"
+echo "   ✅ Stored encrypted in AWS SSM"
+echo "   ✅ Accessible via GitHub Actions OIDC"
+echo "   ✅ Ready for automatic NPM publishing"
 echo ""
-echo "2. Store NPM token:"
-echo "   aws ssm put-parameter --name '/npm/token' --value 'YOUR_NPM_TOKEN' --type SecureString --region us-east-1"
+echo "💡 Test by pushing code - the workflow will automatically publish!"
